CVE-2015-2857
Published 2017-08-22

CVE-2015-2857: Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.

Priority: P1 · 82 · Critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 84.18% (99.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| accellion | file_transfer_appliance | <= 9_11_200 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /tws/getStatus, /seos/find.api, /seos/put.api, or /seos/mput.api containing shell metacharacters (e.g., single quotes and semicolons) in the oauth_token parameter.
- Look for POST requests to /tws/getStatus with an oauth_token value matching the pattern ';...;echo ' as the injection payload wrapper.
- A successful exploitation attempt returns HTTP 200 with a JSON body containing '"result_msg":"Success","transaction_id":"'; alert on this response to a request with a malformed/injected oauth_token.
- A probe/check request sends oauth_token=invalid and expects '"result_msg":"MD5 token is invalid"'; a subsequent injection attempt with metacharacters that returns Success indicates a vulnerable host.
- Monitor execution of /opt/bin/perl /home/seos/system/call_webservice.pl with unexpected arguments or child processes, which indicates successful exploitation of the oauth_token injection.
- The exploit targets port 443 with SSL enabled by default; detection rules should account for HTTPS traffic and may require SSL inspection to see the oauth_token POST parameter.
- The vulnerability was confirmed on FTA_9_11_200 but may affect earlier versions; detection should not be scoped only to that specific version.
- Multiple endpoints are vulnerable beyond /tws/getStatus; detection coverage must include /seos/find.api, /seos/put.api, and /seos/mput.api.
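Detection logic for the items above, written here as an added example and not taken from any of the page's sources. It assumes request/response transactions are available as decoded records (constructed inline below, as a proxy or WAF log would provide after TLS inspection) and flags the endpoint-plus-metacharacter combination, raising the verdict when the response reports Success.

```python
"""Added detection example for CVE-2015-2857 (not from the original page): flags POST
requests to the vulnerable Accellion FTA handlers whose oauth_token carries shell
metacharacters. Records (method, path, body, response) are a constructed log format."""
import re
from urllib.parse import unquote_plus

VULN_ENDPOINTS = {"/tws/getStatus", "/seos/find.api", "/seos/put.api", "/seos/mput.api"}
# A legitimate token is MD5 hex; none of these belong in it, all matter to /bin/sh.
SHELL_META = re.compile(r"[;'\"`|&$()<>\n]")
SUCCESS_MARKER = '"result_msg":"Success"'

def oauth_token(body):
    """Pull oauth_token from a raw form body. Deliberately not parse_qs(): older
    Pythons also split pairs on ';', the very byte the injection relies on."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "oauth_token":
            return unquote_plus(value)
    return ""

def classify(record):
    """None (benign), 'attempt', or 'likely_success' for one transaction."""
    if record.get("method") != "POST" or record.get("path") not in VULN_ENDPOINTS:
        return None
    if not SHELL_META.search(oauth_token(record.get("body", ""))):
        return None
    if SUCCESS_MARKER in record.get("response", ""):
        return "likely_success"  # appliance accepted the injected token
    return "attempt"

def scan(records):
    """(path, verdict) for every flagged transaction, in log order."""
    return [(r["path"], v) for r in records if (v := classify(r)) is not None]

# Constructed sample transactions, not captured traffic.
SAMPLE = [
    {"method": "POST", "path": "/tws/getStatus", "body": "oauth_token=invalid",
     "response": '{"result_msg":"MD5 token is invalid"}'},        # benign probe
    {"method": "POST", "path": "/tws/getStatus",
     "body": "oauth_token=%27%3Becho+probe%3Becho+%27",           # ';echo probe;echo '
     "response": '{"result_msg":"Success","transaction_id":"0"}'},
    {"method": "POST", "path": "/seos/put.api",
     "body": "oauth_token=';echo probe;echo '",                    # unencoded variant
     "response": '{"result_msg":"MD5 token is invalid"}'},        # rejected, e.g. patched
    {"method": "GET", "path": "/tws/getStatus", "body": "", "response": ""},
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE):
        print(f"{verdict:15s} {path}")
```

Pairing a flagged request with the Success marker in its response is what separates a scanner probe from a host that actually ran the injected token; the probe/invalid exchange alone stays benign.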
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
Accellion FTA - getStatus verify_oauth_token Command Execution (Metasploit)
exploitdb · 2015-07-13

---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
      'Name'        => 'Accellion FTA getStatus verify_oauth_token Command Execution',
      'Description' => %q{
        This module exploits a metacharacter shell injection vulnerability in the Accellion
        File Transfer appliance. This vulnerability is triggered when a user-provided
        'oauth_token' is passed into a system() call within a mod_perl handler. This
        module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include
        '/seos/find.api', '/seos/put.api', and '/seos/mput.api'. This issue was confirmed on
        version FTA_9_11_200, but may apply to previous versions as well. This issue was
        fixed in software update FTA_9_11_210.
```
Metasploit
Accellion FTA getStatus verify_oauth_token Command Execution
metasploit
This module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/132665/Accellion-FTA-getStatus-verify_oauth_token-Command-Execution.html
- http://www.rapid7.com/db/modules/exploit/linux/http/accellion_fta_getstatus_oauth
- https://community.rapid7.com/community/metasploit/blog/2015/07/10/r7-2015-08-accellion-file-transfer-appliance-vulnerabilities-cve-2015-2856-cve-2015-2857
- https://www.exploit-db.com/exploits/37597/